--- title: "Getting Started with On-premises Connection" slug: "fortanix-key-insight-getting-started-with-on-premises-connection" updated: 2026-06-09T07:45:15Z published: 2026-06-09T07:45:15Z --- > ## Documentation Index > Fetch the complete documentation index at: https://support.fortanix.com/llms.txt > Use this file to discover all available pages before exploring further. # Getting Started with On-premises Connection ## 1.0 Introduction This article helps you get started with the Fortanix Key Insight on-premises connection. It also describes: - How to sign up and log in to Fortanix Armor. - How to access the Fortanix Key Insight solution. - How to set up the on-premises connection to scan resources, certificates, keys, and cryptographic assets from various on-premises infrastructures, including file systems, databases, containers, networks, and source code. ## 2.0 Terminology References *For the on-premises connection concepts and terminologies, refer to*[*On-premises Connection Concepts*](https://support.fortanix.com/docs/fortanix-key-insight-for-on-premises-concepts)*.* ## 3.0 Log In and Create an Account Fortanix Key Insight is a solution on the Fortanix Armor platform. Therefore, you must create an account on the Fortanix Armor platform to get started. ### 3.1 Sign Up and Log In to Fortanix Armor Platform - New Users If you are accessing Fortanix Key Insight for the first time, you must sign up for Fortanix Armor before you can access Fortanix Key Insight. *For detailed instructions to sign up and log in to Fortanix Armor, refer to*[*Getting Started with Fortanix Armor*](/v1/docs/fortanix-armor-getting-started#20-sign-up-on-fortanix-armor-platform-new-users)*.* ### 3.2 Log In to Fortanix Armor Platform - Existing Users If you already have a Fortanix Armor account, log in to the Fortanix Armor platform to access Fortanix Key Insight. *For detailed instructions to log in to Fortanix Armor, refer to*[*Getting Started with Fortanix Armor*](/v1/docs/fortanix-armor-getting-started#30-log-in-to-fortanix-armor-platform-existing-users)*.* ### 3.3 Create an Account After you log in, you must add a new Fortanix Armor account to access the Fortanix Key Insight solution. *For detailed instructions to create a Fortanix Armor account, refer to*[*Getting Started with Fortanix Armor*](/v1/docs/fortanix-armor-getting-started#40-create-an-account)*.* ## 4.0 Access Fortanix Key Insight After creating and selecting your Fortanix Armor account, you are redirected to the **Available Solutions** page in Fortanix Armor. From this page, you can access Fortanix Key Insight. Perform the following steps: 1. Ensure the appropriate region (**European Union** or **North America**) is selected from the **Region** drop down. The selected region determines where your data is processed and stored. It also ensures that connections, scans, and user interface (UI) elements are displayed based on the selected region.*For more information on configuring regions, refer to*[*Fortanix Armor Solutions*](https://support.fortanix.com/docs/fortanix-armor-solutions#22-key-insight)*.* 2. Click **GO TO KEY INSIGHT** to access Fortanix Key Insight and begin onboarding on-premises connections. ![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/KI_Region Selector.png) **Figure 1: Access Fortanix Key Insight solution** ## 5.0 Configure an On-premises Connection After you access the Fortanix Key Insight solution from Fortanix Armor, you can configure and onboard an on-premises connection to scan your cryptographic materials (keys, resources, cryptographic assets, and certificates). ### 5.1 Prerequisites The following are the prerequisites to configure an on-premises connection on Fortanix Key Insight: - **Server Specifications** - The server hosting the scanner must have **at least** **2 virtual Central Processing Units (vCPUs)** allocated. - The server must have a **minimum of** **8 GB** of **Random Access Memory (RAM)** to support the scanner. - The server should have **at least** **20 GB** of **storage capacity** for temporarily storing scanned data. - **Operating System and Libraries** - **Linux**: Supported operating systems include Ubuntu 24.04, RHEL 8, and RHEL 9 (or Rocky Linux 9). The necessary packages are available in **.deb** or **.rpm** formats. - **Windows**: Supported operating systems include Windows Server 2016, 2019, 2022, and 2025. The necessary packages are available in `.msi` format. - **Network Requirements** > [!NOTE] > NOTE > > Although inbound connectivity is required, the Fortanix On-premises Scanner itself does not expose any ports externally. - **Outbound (Fortanix On-premises Scanner → External Services)** The Fortanix On-premises Scanner must be allowed to make outgoing connections to: - *armor.fortanix.com* on port 443 - Databases on their configured ports - The following Internet Protocol (IP) range to communicate back to Fortanix Key Insight: IP whitelisting is not mandatory. It is required only if your on-premises environment enforces outbound firewall restrictions. - `216.180.120.0/24` - **Inbound (File System Scanner Agent (Windows)**or**File System and Network Scanner Agent (Linux) → Fortanix On-premises Scanner)** The Fortanix On-premises Scanner must be reachable from the File System Scanner Agent (Windows) or the File System and Network Scanner Agent (Linux): - Must accept inbound connections from the File System Scanner Agent’s IP on the configured port. For example, `8080` or `1443`. - Firewall or security group rules must allow this traffic. - The service must bind to `0.0.0.0` or its external or private IP, not just `127.0.0.1`. - **Configuration File** The Fortanix On-premises Scanner requires a configuration file that includes a list of databases, source code, containers, and file systems with their corresponding credentials, as well as the Fortanix DSM on-premises credentials. This configuration file is in plain text, and it is your responsibility to secure the file and its credentials. - **Mixed Mode Authentication**: Ensure that Mixed Mode authentication is enabled in MSSQL if you are using Windows Authentication before starting the scan. Perform the following steps to enable the Mixed Mode: ![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/KI_OnPrem SQL.png) **Figure 2: Enable Mixed Mode authentication in MS SQL** 1. Open **Microsoft SQL Server Management Studio (SSMS)**. 2. Right click the server’s name and select **Properties**. 3. Navigate to the **Security** page. 4. Set **Server authentication** to **SQL Server and Windows Authentication mode**. 5. Click **OK**. ### 5.2 Select Connection Type Perform the following steps to select the on-premises connection type: 1. On the **Select Connection Type**step, select **On-Premises Connections**option. 2. Click **NEXT**. ![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/KI_On-premises Step 1(1).png) **Figure 3: Access On-Premises Connections** > [!NOTE] > NOTE > > You can also add an on-premises connection by clicking **ADD ON-PREMISES SCANNER** in the top-right corner of the **ON-PREMISES** tab on the **Connections** page. ### 5.3 Add On-premises Scanner Perform the following steps to add an on-premises scanner on the **Add On-Premises Scanner** step: 1. **Scanner name:**Enter a name for your on-premises connection. 2. Download, install, and the necessary scanner packages to scan resources, certificates, keys, and cryptographic assets across various on-premises infrastructures, including file systems, networks, databases, containers, and source code. - Download the**Fortanix on-premises scanner package** for Databases, Source Code, Containers, and File System infrastructure types. *For more information on how Fortanix Key Insight integrates with the****Fortanix On-premises Scanner****for different infrastructure types, refer to the following:* - [*Database Scanning Architecture*](/v1/docs/fortanix-key-insight-on-premises-database#30-architecture) - [*File System Scanning Architecture*](https://support.fortanix.com/docs/fortanix-key-insight-on-premises-file-system#30-architecture) - [*Source Code Scanning Architecture*](/v1/docs/fortanix-key-insight-on-premises-source-code#30-architecture) - [*Containers Scanning Architecture*](https://support.fortanix.com/docs/fortanix-key-insight-on-premises-container#30-architecture) - Download both the **Fortanix on-premises scanner package** and the appropriate agent package for File System and Networks based on your operating system: **File System Scanner Agent (Windows)** or the **File System and Network Scanner Agent (Linux)**. *For more information on how Fortanix Key Insight integrates with the****Fortanix On-premises Scanner****and the****File System Scanner Agent (Windows)****or****File System and Network Scanner Agent (Linux)****, refer to the following:* - [*File System Scanning Architecture*](/v1/docs/fortanix-key-insight-on-premises-file-system#30-architecture) - [*Networks Scanning Architecture*](https://support.fortanix.com/docs/networks#30-architecture) 3. **I have downloaded and installed the Scanner package:**Enable the check box to confirm the scanner installation. 4. Click **NEXT**. ![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/KI_On-prem.png) **Figure 4: Configure an on-premises connection** ### 5.4 Add Key Insight Policy The Fortanix Key Insight **System Defined Policy** is selected by default on the **Key Insight Policy** step. This policy is designed to facilitate the scanning of keys and services based on predefined key sizes and permitted operations, ensuring compliance with standard security configurations. Click **NEXT** to proceed. ![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/KI-On-premises Step 3.png) **Figure 5: Select Key Insight policy** Additionally, - Click **ADD POLICY** to add a new user-defined policy to the policy center. - Click ![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/image(135).png) to copy and modify a system-defined policy, converting it into a user-defined policy. *For more information on Fortanix Key Insight policies and features, refer to*[*Cryptographic Policy Management*](https://support.fortanix.com/docs/cryptographic-policy-management)*.* > [!NOTE] > NOTE > > If you change or update the policy instead of the **System Defined Policy**, you must **Rescan** the on-premises connection to apply the new policy. ### 5.5 Select External Key Source On the **Select External Key Source** step, you can select an external key source, such as Fortanix DSM (SaaS or On-premises), to integrate with Fortanix Key Insight for key correlation. Perform the following steps: 1. Select any of the following options: - **Yes, connect now**: Selecting this option allows you to add the external key source for your on-premises connection to correlate keys using the **ADD EXTERNAL KEY SOURCE** feature. *For more information, refer to*[*Getting Started with External Key Source Connection*](https://support.fortanix.com/docs/fortanix-key-insight-getting-started-with-external-key-source-connection)*.* After adding the Fortanix DSM connection, select it from the list. ![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/KI-On-premises Step 4.1(1).png) **Figure 6: Add external key source** - **No, I’ll connect later**: Selecting this option allows you to onboard the on-premises connection without adding an external key source. You can add it later if needed. ![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/KI-On-premises Step 4.2(1).png) **Figure 7: Proceed without an external key source** 2. Click **ADD SCANNER & GENERATE API KEY**to add the Fortanix On-premises Scanner using the generated API key. You will be authenticating with Fortanix Key Insight using the API key. > [!NOTE] > NOTE > > The Fortanix On-premises Scanner polls to the Fortanix Key Insight platform **every 15 seconds** to check for any new commands or scan results. The frequent polling ensures that the scanner is always up to date with the latest commands and can act on them promptly. 3. In the **API Key** **Details** dialog box, click **COPY API KEY** to copy the API key value. This value is used to authenticate between the Fortanix On-premises Scanner and Fortanix Key Insight. 4. Close the dialog box. The new on-premises connection appears on the **ON-PREMISES** tab on the **Connections** page. The **CONNECTION STATUS** column displays one of the following statuses: - **Connected**: The Fortanix On-premises Scanner package has been successfully added, and all keys and resources have been scanned without issues. - **Pending**: The Fortanix On-premises Scanner package has been added, but resources are still pending. For on-premises connections in this state: - You must use the generated API key to connect with Fortanix Key Insight. - To begin scanning, you need to add the resources after establishing the connection. - **Disconnected**: The Fortanix On-premises Scanner package is connected, but the session has been terminated. For on-premises connections that are disconnected, you will need to restart the scanner to re-establish the connection. 5. If the scanner is successfully connected, you can access the scanned data for an on-premises connection on the Fortanix Key Insight UI. > [!NOTE] > NOTE > > After onboarding the on-premises connection: > > - View the on-premises connection UI (**Overview**, **Assessment**, **Keys**, and so on). You can also******switch the region** using the region switcher drop down located on the top navigation bar. When the region is changed, the UI updates automatically to show the data, connections, and scan results for that region. > > *For more information about the on-premises connection UI, refer to***[*User Interface Components*](https://support.fortanix.com/docs/on-premises-connection-user-interface-components)*.* > - Users with the **Account Administrator** and **Group Administrator** roles can manage (edit, delete, rescan, view details, view, copy and regenerate an API key) the connection from the **Connections** page on the **ON-PREMISES** tab. > - Deleting the on-premises connection cannot be undone. > - The **RESCAN** option is available only when the on-premises connection status is '**Connected**'. The supported values are **Connected**, **Pending**, or **Disconnected.** > - On the **View Details** page: > > ![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/image-1764566326113.png) > > **Figure 8: View on-premises connection details** > - Click **SHOW API KEY**to copy the API key, if required. > - Click **REGENERATE API KEY**to modify the current API key details if the existing API key is no longer suitable for the on-premises connection. > - Download the required scanner packages using **DOWNLOAD PACKAGE**, if not already downloaded, to add and scan keys and resources. > - A group with the same name will be created on the Fortanix IAM **Groups** page. *For more information, refer to*[*Fortanix Armor Identity and Access Management (IAM).*](/v1/docs/fortanix-fortanix-armor-identity-and-access-management-iam) ## 6.0 On-premises Infrastructure Types and Supported Cryptographic Elements After an on-premises connection is successfully onboarded, the **Overview** UI consolidates discoveries from multiple infrastructure types, including file systems, databases, networks, containers, and source code repositories. *For more information on each on-premises infrastructure type, refer to*[*Infrastructure Types*](https://support.fortanix.com/docs/on-premises-infrastructure-types)*.* > [!NOTE] > NOTE > > For on-premises connections, the left navigation panel will display the **Resources** instead of **Services**. The following table summarizes the cryptographic elements supported across different on-premises infrastructure types: | On-premises Infrastructure Type | Keys | Resources | Certificates | Cryptographic Assets | | --- | --- | --- | --- | --- | | **Databases** | **✔** | **✔** | **X** | **X** | | **File Systems** | **✔** | **✔** | **✔** | **✔** | | **Source Code** | **X** | **✔** | **X** | **✔** | | **Containers** | **X** | **✔** | **X** | **✔** | | **Networks** | **X** | **X** | **X** | **✔** | Here, - **✔** indicates the cryptographic element is supported. - **X** indicates the cryptographic element is **not** supported. ## 7.0 Troubleshooting *For information about common issues and troubleshooting steps when configuring and running Fortanix Key Insight in on-premises environments, refer to*[*On-premises Connection Troubleshooting*](https://support.fortanix.com/docs/fortanix-key-insight-on-premises-connection-troubleshooting)*.* Fortanix Key Insight identifies encryption keys and data services across on-premises and hybrid multicloud environments, providing a unified dashboard for tracking key mappings and cryptographic security. It offers security and compliance teams data-driven insights to assess risks, align with best practices, and meet industry regulations. Iy also supports continuous risk mitigation and crypto-agility, adapting to evolving security needs, including preparation for the post-quantum era. Fortanix Armor is a comprehensive cybersecurity solution that protects data and applications across on-premises, hybrid, and multi-cloud environments. It integrates Fortanix solutions into a single unified product, securing data throughout its lifecycle. Built on the **Confidential Computing** **Platform**, it ensures real-time encryption of data at rest, in transit, and during processing. Additionally, it includes platform services such as Identity and Access Management (IAM), Key Management Service (KMS), and Audit and Monitoring to simplify security management. The Fortanix On-premises Scanner is a configuration component installed within an organization’s local infrastructure. It is designed to scan, analyze, and manage sensitive cryptographic data using Fortanix Key Insight. The scanner identifies keys, certificates, and compliance information within on-premises systems. It supports both Linux and Windows platforms, allowing for flexible and secure deployment and visibility across different environments.